Schmidt: The Basics of Critical Infrastructure

Who better to ignite a conference than the person who has to contend with potential hacks on the largest software company in the world's 6,000 servers and 100,000 PCs in more than 400 different locations around the globe, which is the makeup of what Schmidt smartly calls Microsoft's "digital central nervous system?"

While Schmidt ran through his slide presentation like he was late for a flight, he kept it interesting with a number of cracks and interesting observations. A former police officer, Schmidt told a story about when he was working in that capacity in Arizona. He said that a new subdivision had just been put in his area of coverage, and immediately the burglary rate shot up.

"We couldn't figure it out," Schmidt said. "But after some investigation, we found two things: 1) The door locks were vulnerable; all a perpetrator had to do was pop them off with a twist -- it took two seconds and 2) The slider windows; a perp just had to put a little pressure on the window and it slid right out of its tracks."

Schmidt's point was that once a few criminals figured this out, it was all over the criminal contingent in that area of Arizona.

And how did this relate to computer security? Schmidt maintained the analogy is clear: You can have what seems to be a rich, robust application, but the minute someone finds weaknesses, they will be shamelessly exploited all over the hacker world. Schmidt's point is that technological security is constantly evolving and if companies do not evolve with it, they are asking for trouble.

While Schmidt delved into mostly general points about security (such as the idea that since the mid-'80s, computer engineers have realized that security "is not going to come from a guy with a 43-inch chest, but from a guy with technical know-how"), he also managed to plug his illustrious and infamous company, referencing Microsoft's Information Assurance Program and its 10-step checklist of security. But he abbreviated said credo by listing six basic points.

Schmidt said to consider these factors before you build or license something important to your business: engineer it securely, administer security, test its defenses, eliminate weaknesses, investigate threats, and finally, but perhaps most importantly -- educate the world.

Schmidt ended his discussion there, but he did so by driving home the important point that companies should report hack attacks, worms, and viruses, because if they don't they are just paving the way for more perps to challenge a network's defenses.

Police Sgt. John J. McLean: How a Police Department Takes A Bite Out of Cybercrime

According to Medford, Mass.-based Police Sgt. John J. McLean, Internet crime is investigated and dealt with very carefully.

In his presentation, complete with a useful detailed handout of how to create profiles to lure potential perps, McLean discussed a number of different methods he and fellow officers use to catch the bad guys. There seem to be three main ingredients to investigating online crime -- detecting someone with a disposition to commit an offense online, going undercover to nab the guilty party, and making absolutely sure that you document the evidence.

And while McLean noted that this seems simple enough if an officer has the technical and investigative know-how, there is a major pitfall a law enforcer must be aware of: entrapment. McLean said detectives must know full well that there is a line they may not cross -- that there is such a thing as deceiving and luring a potential perp so effectively, that they are ensnared with no way out.

One ecurring theme that made McLean's presentation so interesting, if not perplexing, are the gray areas concerning both entrapment of a potentially guilty party and violating certain laws in regard to fraud, or bending the rules of identity to nab that suspect.

McLean often cited the example of child porn, which he noted was all-too-prevalent over the Internet. If an officer became suspicious of certain activities, he could create a profile complete with false identification and a picture. The law states that a child's picture may not be used, but if the officer agrees to it, he could use a picture of himself when he was younger -- one of many loopholes McLean said investigators use to lure a pederast. However, the picture can be used only after an investigator has culled sufficient evidence to make such a bold move. That is, in the process of give and take between a perp and an undercover officer posing as a child, the officer must be very careful not to be too aggressive and to let the perp make a certain amount of moves.

McLean said perps have gotten off the hook because of lack of hard evidence (via e-mail, bulletin boards, etc.) and entrapment. The crux of McLean's lecture, is that officers must be fully aware of the myriad of loopholes and pitfalls in online investigations a lawyer may use to score an acquittal for their defendants.

Enterprise Security: Know Thy System

Wayne Pierce and Keith Salustro of consulting firm Athena Security were happy to fill in for Cylink Corp. which was going to spearhead a cryptography segment were it not for inclement weather.

Pierce led the discussion, going over what may seem to be mundane (but absolutely necessary) protocols of protecting corporate security behind a firewall or virtual private network.

Pierce said most companies err by not keeping security for their business updated.

"Security is evolutionary," Pierce said. "What worked six months ago, is not necessarily what is going to work today because the sector moves at Internet speed."

After outlining the template of a security policy, which he called the Constitution of a company's protection, Pierce cited a number of cases in which his company's clients had security issues. Pierce said a regional reseller had lost several employees and later became suspicious that a rival firm was bidding lower prices for its products than the reseller itself. Pierce's company conducted an investigation and found that pricing information was being routed to another account. Pierce and Co. thwarted the espionage by reconfiguring the system -- problem solved.

Pierce also noted a fascinating distinction between amateur and professional hackers.

"The amateur hacker attacks a system," Pierce said. "The professional attacks a person."

What Pierce meant by this is that an ordinary hacker will look for vulnerabilities in a system, possible backdoors and things of that ilk. But a professional will latch on to a specific person and look for information via the unsuspecting employee. One such instance Pierce cited was a case with Motorola where a professional called up an employee, chatted him up, gained his confidence and then procured important account information.

Ultimately, Pierce's impromptu talk circled back to the same themes Schmidt's and McLean's discussions did -- that people must be much more aware of what's going in and out of their system, as well as testing it regularly for weaknesses. While these methods of network protection seem obvious on the surface, all of the conference participants said it is surprising how many people either aren't aware, or don't bother to secure their businesses.


Novatel Wireless Forms Strategic Alliance with YadaYada
Flawed DNS Table Hijacks Yahoo, Microsoft Traffic

About us -Site map -Advertisement -Jion us -Contact us - Exchange links - Sponsor us
Copyright© 2008 hzgn.com All Rights Reserved
Site made&Support support@hzgn.com    E-mail: web@hzgn.com